<!DOCTYPE html>
<html lang="en">
<head>

    <meta charset="utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge" />

    <title>An Analysis of Godlua Backdoor</title>
    <meta name="HandheldFriendly" content="True" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />

    <link rel="stylesheet" type="text/css" href="/assets/built/screen.css?v=db215a41fd" />

    <link rel="shortcut icon" href="/favicon.png" type="image/png" />
    <link rel="canonical" href="https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/" />
    <meta name="referrer" content="no-referrer-when-downgrade" />
    <link rel="amphtml" href="https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/amp/" />
    
    <meta property="og:site_name" content="360 Netlab Blog - Network Security Research Lab at 360" />
    <meta property="og:type" content="article" />
    <meta property="og:title" content="An Analysis of Godlua Backdoor" />
    <meta property="og:description" content="Background
On April 24, 2019, our Unknown Threat Detection System highlighted a suspicious
ELF file which was marked by a few vendors as mining related trojan on VT. We
cannot confirm it has mining related module, but we do see it starts to perform
DDoS function recently.

The file itself is a Lua-based Backdoor, we named it Godlua Backdoor as the Lua
byte-code file loaded by this sample has a magic number of “God”.

Godlua Backdoor has a redundant communication mechanism for C2 connection, a
co" />
    <meta property="og:url" content="https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/" />
    <meta property="article:published_time" content="2019-07-01T10:15:25.000Z" />
    <meta property="article:modified_time" content="2019-07-03T08:53:42.000Z" />
    <meta property="article:tag" content="Botnet" />
    <meta property="article:tag" content="Godlua" />
    <meta property="article:tag" content="Backdoor" />
    
    <meta name="twitter:card" content="summary" />
    <meta name="twitter:title" content="An Analysis of Godlua Backdoor" />
    <meta name="twitter:description" content="Background
On April 24, 2019, our Unknown Threat Detection System highlighted a suspicious
ELF file which was marked by a few vendors as mining related trojan on VT. We
cannot confirm it has mining related module, but we do see it starts to perform
DDoS function recently.

The file itself is a Lua-based Backdoor, we named it Godlua Backdoor as the Lua
byte-code file loaded by this sample has a magic number of “God”.

Godlua Backdoor has a redundant communication mechanism for C2 connection, a
co" />
    <meta name="twitter:url" content="https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/" />
    <meta name="twitter:label1" content="Written by" />
    <meta name="twitter:data1" content="Alex.Turing" />
    <meta name="twitter:label2" content="Filed under" />
    <meta name="twitter:data2" content="Botnet, Godlua, Backdoor" />
    <meta name="twitter:site" content="@360Netlab" />
    <meta name="twitter:creator" content="@TuringAlex" />
    
    <script type="application/ld+json">
{
    "@context": "https://schema.org",
    "@type": "Article",
    "publisher": {
        "@type": "Organization",
        "name": "360 Netlab Blog - Network Security Research Lab at 360",
        "logo": "https://blog.netlab.360.com/content/images/2019/02/netlab-brand-5.png"
    },
    "author": {
        "@type": "Person",
        "name": "Alex.Turing",
        "image": {
            "@type": "ImageObject",
            "url": "https://blog.netlab.360.com/content/images/2019/06/turing.PNG",
            "width": 1363,
            "height": 1363
        },
        "url": "https://blog.netlab.360.com/author/alex/",
        "sameAs": [
            "https://twitter.com/TuringAlex"
        ]
    },
    "headline": "An Analysis of Godlua Backdoor",
    "url": "https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/",
    "datePublished": "2019-07-01T10:15:25.000Z",
    "dateModified": "2019-07-03T08:53:42.000Z",
    "keywords": "Botnet, Godlua, Backdoor",
    "description": "Background\nOn April 24, 2019, our Unknown Threat Detection System highlighted a suspicious\nELF file which was marked by a few vendors as mining related trojan on VT. We\ncannot confirm it has mining related module, but we do see it starts to perform\nDDoS function recently.\n\nThe file itself is a Lua-based Backdoor, we named it Godlua Backdoor as the Lua\nbyte-code file loaded by this sample has a magic number of “God”.\n\nGodlua Backdoor has a redundant communication mechanism for C2 connection, a\nco",
    "mainEntityOfPage": {
        "@type": "WebPage",
        "@id": "https://blog.netlab.360.com/"
    }
}
    </script>

    <script src="/public/ghost-sdk.min.js?v=db215a41fd"></script>
<script>
ghost.init({
	clientId: "ghost-frontend",
	clientSecret: "2a7213b591a9"
});
</script>
    <meta name="generator" content="Ghost 2.13" />
    <link rel="alternate" type="application/rss+xml" title="360 Netlab Blog - Network Security Research Lab at 360" href="https://blog.netlab.360.com/rss/" />
    
<script>
  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
  })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');

  ga('create', 'UA-83587830-1', 'auto');
  ga('send', 'pageview');

</script>

<!-- Fix first paragraph font size -->
<style type="text/css">
 .post-template .post-content > p:first-child {font-size: 1em;}
</style>

</head>
<body class="post-template tag-botnet tag-godlua tag-backdoor">

    <div class="site-wrapper">

             <header
    class="site-header outer">
    <div class="inner">
        <nav class="site-nav">
    <div class="site-nav-left">
                <a class="site-nav-logo" href="https://blog.netlab.360.com"><img src="https://blog.netlab.360.com/content/images/2019/02/netlab-brand-5.png" alt="360 Netlab Blog - Network Security Research Lab at 360" /></a>
            <ul class="nav" role="menu">
    <li class="nav-botnet" role="menuitem"><a href="https://blog.netlab.360.com/tag/botnet/">Botnet</a></li>
    <li class="nav-dnsmon" role="menuitem"><a href="https://blog.netlab.360.com/tag/dnsmon/">DNSMon</a></li>
    <li class="nav-ddos" role="menuitem"><a href="https://blog.netlab.360.com/tag/ddos/">DDoS</a></li>
    <li class="nav-passivedns" role="menuitem"><a href="https://blog.netlab.360.com/tag/pdns/">PassiveDNS</a></li>
    <li class="nav-marai" role="menuitem"><a href="https://blog.netlab.360.com/tag/mirai/">Marai</a></li>
    <li class="nav-dta" role="menuitem"><a href="https://blog.netlab.360.com/tag/dta/">DTA</a></li>
</ul>

    </div>
    <div class="site-nav-right">
        <div class="social-links">
                <a class="social-link social-link-tw" href="https://twitter.com/360Netlab" title="Twitter" target="_blank" rel="noopener"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32"><path d="M30.063 7.313c-.813 1.125-1.75 2.125-2.875 2.938v.75c0 1.563-.188 3.125-.688 4.625a15.088 15.088 0 0 1-2.063 4.438c-.875 1.438-2 2.688-3.25 3.813a15.015 15.015 0 0 1-4.625 2.563c-1.813.688-3.75 1-5.75 1-3.25 0-6.188-.875-8.875-2.625.438.063.875.125 1.375.125 2.688 0 5.063-.875 7.188-2.5-1.25 0-2.375-.375-3.375-1.125s-1.688-1.688-2.063-2.875c.438.063.813.125 1.125.125.5 0 1-.063 1.5-.25-1.313-.25-2.438-.938-3.313-1.938a5.673 5.673 0 0 1-1.313-3.688v-.063c.813.438 1.688.688 2.625.688a5.228 5.228 0 0 1-1.875-2c-.5-.875-.688-1.813-.688-2.75 0-1.063.25-2.063.75-2.938 1.438 1.75 3.188 3.188 5.25 4.25s4.313 1.688 6.688 1.813a5.579 5.579 0 0 1 1.5-5.438c1.125-1.125 2.5-1.688 4.125-1.688s3.063.625 4.188 1.813a11.48 11.48 0 0 0 3.688-1.375c-.438 1.375-1.313 2.438-2.563 3.188 1.125-.125 2.188-.438 3.313-.875z"/></svg>
</a>
        </div>
            <a class="rss-button" href="https://feedly.com/i/subscription/feed/https://blog.netlab.360.com/rss/" title="RSS" target="_blank" rel="noopener"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><circle cx="6.18" cy="17.82" r="2.18"/><path d="M4 4.44v2.83c7.03 0 12.73 5.7 12.73 12.73h2.83c0-8.59-6.97-15.56-15.56-15.56zm0 5.66v2.83c3.9 0 7.07 3.17 7.07 7.07h2.83c0-5.47-4.43-9.9-9.9-9.9z"/></svg>
</a>
    </div>
</nav>
    </div>
    </header>


    <main id="site-main" class="site-main outer">
        <div class="inner">

            <article class="post-full post tag-botnet tag-godlua tag-backdoor no-image">

                <header class="post-full-header">
                    <section class="post-full-meta">
                        <time class="post-full-meta-date" datetime="2019-07-01">1 July                            2019</time>
                        <span class="date-divider">/</span> <a href="/tag/botnet/">Botnet</a>
                    </section>
                    <h1 class="post-full-title">An Analysis of Godlua Backdoor</h1>
                </header>


                <section class="post-full-content">
                    <div class="post-content">
                        <h3 id="background">Background</h3>
<p>On April 24, 2019, our Unknown Threat Detection System highlighted a suspicious ELF file which was marked by a few vendors as mining related trojan on VT. We cannot confirm it has mining related module, but we do see it starts to perform DDoS function recently.</p>
<p>The file itself is a Lua-based Backdoor, we named it Godlua Backdoor as the Lua byte-code file loaded by this sample has a magic number of “God”.</p>
<p>Godlua Backdoor has a redundant communication mechanism for  C2 connection, a combination of hardcoded dns name, Pastebin.com, GitHub.com as well as DNS TXT are used to store the C2 address, which is not something we see often. At the same time, it uses HTTPS to download Lua byte-code files, and uses DNS over HTTPS to get the C2 name to ensure secure communication between the bots, the Web Server and the C2.</p>
<p>We noticed that there are already 2 versions of Godlua Backdoor and there are ongoing updates. We also observed that attackers has been using Lua command to run Lua code dynamically and initiate HTTP Flood attacks targeting some websites.</p>
<h3 id="overview">Overview</h3>
<p>At present, we see that there are two versions of Godlua. Version 201811051556 is obtained by traversing Godlua download servers and there has been no update on it. Version 20190415103713 ~ 2019062117473 is active and is actively being updated. They are all written in C, but the active one supports more computer platforms and more features. The following is a comparison.<br>
<a href="https://blog.netlab.360.com/content/images/2019/06/brief.PNG"><img src="https://blog.netlab.360.com/content/images/2019/06/brief.PNG" class="kg-image"></a></p>
<h3 id="godluabackdoorreverseanalysis">Godlua Backdoor Reverse Analysis</h3>
<h3 id="version201811051556">version 201811051556</h3>
<p>This is the version we found earlier (201811051556). It focuses on the Linux platform and supports two kinds of C2 instructions, to execute Linux system commands and to run custom files.</p>
<h4 id="sampleinformation">Sample information</h4>
<ul>
<li>MD5: 870319967dba4bd02c7a7f8be8ece94f</li>
</ul>
<blockquote>
<p>ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.32, dynamically linked (uses shared libs), for GNU/Linux 2.6.32, stripped</p>
</blockquote>
<h4 id="c2redundantmechanism">C2 redundant mechanism</h4>
<p>This version perform C2 communications in two ways,  hardcoded domain name and Github link.<br>
<a href="https://blog.netlab.360.com/content/images/2019/06/v1.PNG"><img src="https://blog.netlab.360.com/content/images/2019/06/v1.PNG" class="kg-image"></a></p>
<p>Its hardcoded C2 domain is: d.heheda.tk<br>
<a href="https://blog.netlab.360.com/content/images/2019/06/1-1.PNG"><img src="https://blog.netlab.360.com/content/images/2019/06/1-1.PNG" class="kg-image"></a></p>
<p>It also has a Github page and the real C2 address is in the project description.<br>
<a href="https://blog.netlab.360.com/content/images/2019/06/2-4.PNG"><img src="https://blog.netlab.360.com/content/images/2019/06/2-4.PNG" class="kg-image"></a></p>
<h4 id="c2instruction">C2 instruction</h4>
<p>cmd_call, execute Linux system commands<br>
<a href="https://blog.netlab.360.com/content/images/2019/06/3-3.PNG"><img src="https://blog.netlab.360.com/content/images/2019/06/3-3.PNG" class="kg-image"></a></p>
<p>cmd_shell, execute custom file<br>
<a href="https://blog.netlab.360.com/content/images/2019/06/4-3.PNG"><img src="https://blog.netlab.360.com/content/images/2019/06/4-3.PNG" class="kg-image"></a></p>
<h4 id="c2protocolanalysis">C2 protocol analysis</h4>
<h6 id="packetformat">Packet format</h6>
<table>
<thead>
<tr>
<th>Length</th>
<th>Type</th>
<th>Data</th>
</tr>
</thead>
<tbody>
<tr>
<td>Little endian,2 bytes</td>
<td>1 bytes</td>
<td>(Length -3) bytes</td>
</tr>
</tbody>
</table>
<h6 id="encryptionalgorithm">Encryption Algorithm</h6>
<p>XOR’s Key is randomly generated of 16 bytes of data, the algorithm is as follow:<br>
<a href="https://blog.netlab.360.com/content/images/2019/06/5-2.PNG"><img src="https://blog.netlab.360.com/content/images/2019/06/5-2.PNG" class="kg-image"></a></p>
<h4 id="packetoverview">Packet Overview</h4>
<h6 id="cmd_handshake">cmd_handshake</h6>
<pre><code class="language-bash">packet[0:31]:
24 00 02 ec 86 a3 23 fb d0 d1 e9 e8 5f 23 6f 6d
70 b5 95 24 44 e0 fc 2e 00 00 00 6c 69 6e 75 78
2d 78 38 36

Length:	packet[0:1]               ---&gt;0x0024
Type:	packet[2]                 ---&gt;0x02,handshake
Data:	packet[3:31]
            Data
            Data[0:15]                  ----&gt;xor key
            Data[16:23]                 ----&gt;version,hardcoded,little endian.
            Data[24:31]                 ----&gt;arch,hardcoded.

</code></pre>
<h6 id="cmd_heartbeat">cmd_heartbeat</h6>
<pre><code class="language-bash">packet[0:10]:
0b 00 03 87 19 45 cb 91 d1 d1 a9

Length:		  packet[0:1]                 ---&gt;0x000b
Type:		  packet[2]                   ---&gt;0x03,heartbeat
Data:		  packet[3:10]                ---&gt;xored clock64()
</code></pre>
<h3 id="version2019041510371320190621174731">version 20190415103713 ~ 20190621174731</h3>
<p>This active version runs on both Windows and Linux.<br>
The control module is implemented in Lua and five C2 commands are supported</p>
<h4 id="sampleinformation">Sample information</h4>
<h6 id="version20190415103713">version 20190415103713</h6>
<ul>
<li>MD5: c9b712f6c347edde22836fb43b927633</li>
</ul>
<blockquote>
<p>ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), statically linked, stripped</p>
</blockquote>
<h6 id="version20190621174731">version 20190621174731</h6>
<ul>
<li>MD5: 75902cf93397d2e2d1797cd115f8347a</li>
</ul>
<blockquote>
<p>ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), statically linked, stripped</p>
</blockquote>
<h4 id="c2redundantmechanism">C2 redundant mechanism</h4>
<p><a href="https://blog.netlab.360.com/content/images/2019/06/godlua.PNG"><img src="https://blog.netlab.360.com/content/images/2019/06/godlua.PNG" class="kg-image"></a></p>
<h4 id="stage1url">Stage-1 URL</h4>
<p>The backdoor uses 3 different ways to store the Stage-1 URL. hardcoded ciphertext, Github project description, and Pastebin text.<br>
After the Stage-1 URL is retrieved and decrypted, a start.png file will be downloaded, which is actually a Lua bytecode.<br>
The Bot then loads it into memory and executes it to get the Stage-2 URL.</p>
<h6 id="encryptionalgorithm">Encryption Algorithm</h6>
<ul>
<li>AES，CBC Mode</li>
<li>key：13 21 02 00 31 21 94 E2 F2 F1 35 61 93 4C 4D 6A</li>
<li>iv：2B 7E 15 16 28 AE D2 01 AB F7 15 02 00 CF 4F 3C</li>
</ul>
<h6 id="hardcodedciphertext">Hard coded ciphertext</h6>
<p><strong>version 20190415103713</strong></p>
<ul>
<li>AES ciphertext：03 13 84 29 CC 8B A5 CA AB 05 9E 2F CB AF 5E E6 02 5A 5F 17 74 34 64 EA 5B F1 38 5B 8D B9 A5 3E</li>
<li>Stage-1 URL plaintext：<code>https://d.heheda.tk/%s.png</code></li>
</ul>
<p><strong>version 20190621174731</strong></p>
<ul>
<li>AES ciphertext：F1 40 DB B4 E1 29 D9 DC 8D 78 45 B9 37 2F 83 47 F1 32 3A 11 01 41 07 CD DB A3 7B 1F 44 A7 DE 6C 2C 81 0E 10 E9 D8 E1 03 38 68 FC 51 81 62 11 DD</li>
<li>Stage-1 URL plaintext：<code>https://img0.cloudappconfig.com/%s.png</code></li>
</ul>
<h6 id="githubprojectdescription">Github project description</h6>
<ul>
<li>AES ciphertext：EC 76 44 29 59 3D F7 EE B3 01 90 A9 9C 47 C8 96 53 DE 86 CB DF 36 68 41 60 5C FA F5 64 60 5A E4 AE 95 C3 F5 A6 04 47 CB 26 47 A2 23 80 C6 5F 92</li>
<li>Github URL plaintext：<code>https://api.github.com/repos/helegedada/heihei</code></li>
<li>Decryption Process:<br>
<a href="https://blog.netlab.360.com/content/images/2019/06/8-2.PNG"><img src="https://blog.netlab.360.com/content/images/2019/06/8-2.PNG" class="kg-image"></a></li>
<li>Project description ciphertext: oTre1RVbmjqRn2kRrv4SF/l2WfMRn2gEHpqJz77btaDPlO0R9CdQtMM82uAes+Fb</li>
<li>Stage-1 URL plaintext：<code>https://img1.cloudappconfig.com/%s.png</code></li>
</ul>
<h6 id="pastebintext">Pastebin text</h6>
<ul>
<li>AES ciphertext：19 31 21 32 BF E8 29 A8 92 F7 7C 0B DF DC 06 8E 8E 49 F0 50 9A 45 6C 53 77 69 2F 68 48<br>
DC 7F 28 16 EB 86 B3 50 20 D3 01 9D 23 6C A1 33 62 EC 15</li>
<li>Pastebin URL plaintext：<code>https://pastebin.com/raw/vSDzq3Md</code></li>
<li>Decryption Process:<br>
<a href="https://blog.netlab.360.com/content/images/2019/06/9.PNG"><img src="https://blog.netlab.360.com/content/images/2019/06/9.PNG" class="kg-image"></a></li>
<li>Pastebin Ciphertext: G/tbLY0TsMUnC+iO9aYm9yS2eayKlKLQyFPOaNxSCnZpBw4RLGnJOPcZXHaf/aoj</li>
<li>Stage-1 URL plaintext：<code>https://img2.cloudappconfig.com/%s.png</code></li>
</ul>
<h4 id="stage2url">Stage-2 URL</h4>
<p>Here at stage-2, two mechanisms are being used for storing the Stage-2 URL, Github project file and DNS over HTTPS.<br>
After the Stage-2 URL is retrieved and decrypted, a run.png file, also a Lua bytecode, will be downloaded.<br>
Bot will load this file into memory and run it to get Stage-3 C2.</p>
<h6 id="encryptionalgorithm">Encryption Algorithm</h6>
<ul>
<li>AES，CBC Mode</li>
<li>key：22 85 16 13 57 2d 17 90 2f 00 49 18 5f 17 2b 0a</li>
<li>iv：0d 43 36 41 86 41 21 d2 41 4e 62 00 41 19 4a 5c</li>
</ul>
<h6 id="githubprojectfile">Github project file</h6>
<ul>
<li>Github URL is stored in the Lua byte-code file (start.png) in plaintext. We get the following information by disassembling it：<br>
<a href="https://blog.netlab.360.com/content/images/2019/06/a-2.PNG"><img src="https://blog.netlab.360.com/content/images/2019/06/a-2.PNG" class="kg-image"></a></li>
<li>Github project file ciphertext: kI7xf+Q/fXC0UT6hCUNimtcH45gPgG9i+YbNnuDyHyh2HJqzBFQStPvHGCZH8Yoz9w02njr41wdl5VNlPCq18qTZUVco5WrA1EIg3zVOcY8=</li>
<li>Stage-2 URL plaintext：<code>{&quot;u&quot;:&quot;https:\/\/dd.heheda.tk\/%s.png&quot;,&quot;c&quot;:&quot;dd.heheda.tk::198.204.231.250:&quot;}</code></li>
</ul>
<h6 id="dnstxt">DNS TXT</h6>
<ul>
<li>DNS TXT is stored in the Lua byte-code file (start.png) in plaintext. We get the following information by disassembling it：<br>
<a href="https://blog.netlab.360.com/content/images/2019/06/b-2.PNG"><img src="https://blog.netlab.360.com/content/images/2019/06/b-2.PNG" class="kg-image"></a></li>
<li>DNS over HTTPS Request：<br>
<a href="https://blog.netlab.360.com/content/images/2019/06/dnstxt.PNG"><img src="https://blog.netlab.360.com/content/images/2019/06/dnstxt.PNG" class="kg-image"></a></li>
<li>DNS TXT ciphertext: 6TmRMwDw5R/sNSEhjCByEw0Vb44nZhEUyUpUR4LcijfIukjdAv+vqqMuYOFAoOpC7Ktyyr6nUOqO9XnDpudVmbGoTeJD6hYrw72YmiOS9dX5M/sPNmsw/eY/XDYYzx5/</li>
<li>Stage-2 URL plaintext：<code>{&quot;u&quot;:&quot;http:\/\/img1.cloudappconfig.com\/%s.png&quot;,&quot;c&quot;:&quot;img1.cloudappconfig.com::43.224.225.220:&quot;}</code></li>
</ul>
<h4 id="stage3c2">Stage-3 C2</h4>
<p>Stage-3 C2 is hardcoded in the Lua byte-code file (run.png). We disassembled it to get the following information.</p>
<p><strong>version 20190415103713</strong><br>
<a href="https://blog.netlab.360.com/content/images/2019/06/c-2.PNG"><img src="https://blog.netlab.360.com/content/images/2019/06/c-2.PNG" class="kg-image"></a></p>
<p><strong>version 20190621174731</strong><br>
<a href="https://blog.netlab.360.com/content/images/2019/06/d-2.PNG"><img src="https://blog.netlab.360.com/content/images/2019/06/d-2.PNG" class="kg-image"></a></p>
<h6 id="dnsoverhttpsrequest">DNS Over HTTPS Request</h6>
<p><a href="https://blog.netlab.360.com/content/images/2019/06/e.PNG"><img src="https://blog.netlab.360.com/content/images/2019/06/e.PNG" class="kg-image"></a></p>
<h6 id="c2instruction">C2 instruction</h6>
<pre><code>| CMD       | Type |
| --------- | ---- |
| HANDSHAKE | 1    |
| HEARTBEAT | 2    |
| LUA       | 3    |
| SHELL     | 4    |
| UPGRADE   | 5    |
| QUIT      | 6    |
| SHELL2    | 7    |
| PROXY     | 8    |
</code></pre>
<h6 id="c2protocolanalysis">C2 protocol analysis</h6>
<p>Packet format</p>
<table>
<thead>
<tr>
<th>Type</th>
<th>Length</th>
<th>Data</th>
</tr>
</thead>
<tbody>
<tr>
<td>1byte</td>
<td>Big endian,2 bytes</td>
<td>Length bytes</td>
</tr>
</tbody>
</table>
<h6 id="packetoverview">Packet overview</h6>
<ul>
<li>HANDSHAKE<br>
<a href="https://blog.netlab.360.com/content/images/2019/06/f.PNG"><img src="https://blog.netlab.360.com/content/images/2019/06/f.PNG" class="kg-image"></a></li>
</ul>
<pre><code>Type:	packet[0]		---&gt;0x01,HANDSHAKE
LENGTH:	packet[1:2]		---&gt;0x0010
Data:	packet[3:end]
            data[0:7]			---&gt;Session
            data[8:end]			---&gt;version,0x00125cfecd8bcb-&gt;20190621174731
</code></pre>
<ul>
<li>
<p>HEARTBEAT<br>
<a href="https://blog.netlab.360.com/content/images/2019/06/g.PNG"><img src="https://blog.netlab.360.com/content/images/2019/06/g.PNG" class="kg-image"></a></p>
<pre><code>Send:
	Type: 			packet[0]        ---&gt;0x02,HEARTBEAT
	Length:			packet[1:2]      ---&gt;0x4
	Data:			packet[3:end]    ---&gt;time,0x5d13779b,1561556891
Replay:
	Type:			packet[0]        ---&gt;0x02,HEARTBEAT
	Length:			packet[1:2]      ---&gt;0x4
	Data:			packet[3:end]    ---&gt;1561556891
</code></pre>
</li>
<li>
<p>LUA Payload<br>
<a href="https://blog.netlab.360.com/content/images/2019/06/h.PNG"><img src="https://blog.netlab.360.com/content/images/2019/06/h.PNG" class="kg-image"></a></p>
<pre><code>Type:     packet[0]            ---&gt;0x03,LUA
Length:   packet[1:2]          ---&gt;0x00ab
Data:     packet[3:end]        ---&gt;Lua script
</code></pre>
</li>
</ul>
<p>We observe the attacker performing a HTTP Flood attack against www.liuxiaobei.com.<br>
<a href="https://blog.netlab.360.com/content/images/2019/06/j.PNG"><img src="https://blog.netlab.360.com/content/images/2019/06/j.PNG" class="kg-image"></a></p>
<h4 id="luascriptanalysis">Lua script analysis</h4>
<p>The Bot sample downloads many Lua scripts when executing, and the scripts can be broken down to three categories: execute, auxiliary, and attack.</p>
<ul>
<li>execute: start.png,run.png,quit.png,watch.png,upgrade.png,proxy.png</li>
<li>auxiliary: packet.png,curl.png,util.png,utils.png</li>
<li>attack: VM.png,CC.png</li>
</ul>
<h6 id="encryptionalgorithm">Encryption Algorithm</h6>
<ul>
<li>AES，CBC Mode</li>
<li>key：13 21 02 00 31 21 94 E2 F2 F1 35 61 93 4C 4D 6A</li>
<li>iv：2B 7E 15 16 28 AE D2 01 AB F7 15 02 00 CF 4F 3C</li>
</ul>
<h6 id="luamagicnumber">Lua magic number</h6>
<p>The decrypted files are all pre-compiled, take upgrade.png as an example, note the highlighted part is the file header.<br>
<a href="https://blog.netlab.360.com/content/images/2019/06/k.PNG"><img src="https://blog.netlab.360.com/content/images/2019/06/k.PNG" class="kg-image"></a>You can see that the magic number has changed from “Lua” to “God”.</p>
<p>The malware author also seems to set a trap for researcher here by manually changing the LuaVerion number in the sample to 5.1.4 ($LuaVersion: God 5.1.4 C$$LuaAuthors: R. $). We think the real version should be definitely newer than 5.2.</p>
<h6 id="decompile">Decompile</h6>
<p>In order to decompile the above script, we have to know what changes have been made to Lua. After some analysis, we concluded that the modification can be divided into two major sections: Lua Header and Lua Opcode.</p>
<p>Decompiled by Luadec[<a href="https://github.com/viruscamp/luadec">1]</a><br>
<a href="https://blog.netlab.360.com/content/images/2019/06/l.PNG"><img src="https://blog.netlab.360.com/content/images/2019/06/l.PNG" class="kg-image"></a></p>
<h2 id="suggestions">Suggestions</h2>
<p>We have yet to see the whole picture of how exactly the Godlua backdoor infects the targets, at this point we know at least some linux users were infected via the Confluence exploit(CVE-2019-3396), if our readers have more information, feel free to contact us.</p>
<p>We suggest that at least to monitor and block the relevant IP, URL and domain name of Godlua Backdoor on your network.</p>
<h4 id="contactus">Contact us</h4>
<p>Readers are always welcomed to reach us on <a href="https://twitter.com/360Netlab"><strong>twitter</strong></a>, WeChat 360Netlab or email to netlab at 360 dot cn.</p>
<h4 id="ioclist">IoC list</h4>
<p>Sample MD5</p>
<pre><code>870319967dba4bd02c7a7f8be8ece94f
c9b712f6c347edde22836fb43b927633
75902cf93397d2e2d1797cd115f8347a
</code></pre>
<p>URL</p>
<pre><code>https://helegedada.github.io/test/test
https://api.github.com/repos/helegedada/heihei
http://198.204.231.250/linux-x64
http://198.204.231.250/linux-x86
https://dd.heheda.tk/i.jpg
https://dd.heheda.tk/i.sh
https://dd.heheda.tk/x86_64-static-linux-uclibc.jpg
https://dd.heheda.tk/i686-static-linux-uclibc.jpg
https://dd.cloudappconfig.com/i.jpg
https://dd.cloudappconfig.com/i.sh
https://dd.cloudappconfig.com/x86_64-static-linux-uclibc.jpg
https://dd.cloudappconfig.com/arm-static-linux-uclibcgnueabi.jpg
https://dd.cloudappconfig.com/i686-static-linux-uclibc.jpg
http://d.cloudappconfig.com/i686-w64-mingw32/Satan.exe
http://d.cloudappconfig.com/x86_64-static-linux-uclibc/Satan
http://d.cloudappconfig.com/i686-static-linux-uclibc/Satan
http://d.cloudappconfig.com/arm-static-linux-uclibcgnueabi/Satan
https://d.cloudappconfig.com/mipsel-static-linux-uclibc/Satan
</code></pre>
<p>C2 Domain</p>
<pre><code>d.heheda.tk
dd.heheda.tk
c.heheda.tk
d.cloudappconfig.com
dd.cloudappconfig.com
c.cloudappconfig.com
f.cloudappconfig.com
t.cloudappconfig.com
v.cloudappconfig.com
img0.cloudappconfig.com
img1.cloudappconfig.com
img2.cloudappconfig.com
</code></pre>
<p>IP</p>
<pre><code>198.204.231.250     	United States       	ASN 33387           	DataShack, LC       
104.238.151.101     	Japan               	ASN 20473           	Choopa, LLC         
43.224.225.220      	Hong Kong           	ASN 22769           	DDOSING NETWORK     
</code></pre>

                    </div>
                </section>


                <footer class="post-full-footer">


                    <section class="post-full-authors">

    <div class="post-full-authors-content">
        <p>This post was a collaboration between</p>
        <p><a href="/author/alex/">Alex.Turing</a>, <a href="/author/yegenshen/">Genshen Ye</a></p>
    </div>

    <ul class="author-list">
        <li class="author-list-item">

            <div class="author-card">
                <div class="basic-info">
                        <img class="author-profile-image" src="https://blog.netlab.360.com/content/images/size/w100/2019/06/turing.PNG" alt="Alex.Turing" />
                    <h2>Alex.Turing</h2>
                </div>
                <div class="bio">
                        <p>Read <a href="/author/alex/">more posts</a> by this author.</p>
                </div>
            </div>

                <a href="/author/alex/" class="moving-avatar">
                    <img class="author-profile-image" src="https://blog.netlab.360.com/content/images/size/w100/2019/06/turing.PNG" alt="Alex.Turing" />
                </a>

        </li>
        <li class="author-list-item">

            <div class="author-card">
                <div class="basic-info">
                        <img class="author-profile-image" src="https://blog.netlab.360.com/content/images/size/w100/2017/10/1662072805.jpg" alt="Genshen Ye" />
                    <h2>Genshen Ye</h2>
                </div>
                <div class="bio">
                        <p>Read <a href="/author/yegenshen/">more posts</a> by this author.</p>
                </div>
            </div>

                <a href="/author/yegenshen/" class="moving-avatar">
                    <img class="author-profile-image" src="https://blog.netlab.360.com/content/images/size/w100/2017/10/1662072805.jpg" alt="Genshen Ye" />
                </a>

        </li>

    </ul>

</section>


                </footer>

                <div id="disqus_thread"></div>
                <script>
                    var disqus_config = function () {
                        this.page.url = "https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/";
                        this.page.identifier = "ghost-5d1987ea0bbc140007c57cf0"
                    };
                    (function () {
                        var d = document, s = d.createElement('script');
                        s.src = 'https://blog-netlab-360.disqus.com/embed.js';
                        s.setAttribute('data-timestamp', +new Date());
                        (d.head || d.body).appendChild(s);
                    })();
                </script>

            </article>

        </div>
    </main>

    <aside class="read-next outer">
        <div class="inner">
            <div class="read-next-feed">
                <article class="read-next-card"   style="background-image: url(https://blog.netlab.360.com/content/images/size/w600/2019/02/astronomy-constellation-dark-998641-4.jpg)"
                     >
                    <header class="read-next-card-header">
                        <small class="read-next-card-header-sitetitle">&mdash; 360 Netlab Blog - Network Security Research Lab at 360 &mdash;</small>
                        <h3 class="read-next-card-header-title"><a href="/tag/botnet/">Botnet</a></h3>
                    </header>
                    <div class="read-next-divider"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M13 14.5s2 3 5 3 5.5-2.463 5.5-5.5S21 6.5 18 6.5c-5 0-7 11-12 11C2.962 17.5.5 15.037.5 12S3 6.5 6 6.5s4.5 3.5 4.5 3.5"/></svg>
</div>
                    <div class="read-next-card-content">
                        <ul>
                            <li><a href="/yi-jing-you-xxxge-jia-zu-de-botnetli-yong-log4shelllou-dong-chuan-bo-wei-da-bu-ding-de-gan-jin-liao/">已有10个家族的恶意样本利用Log4j2漏洞传播</a></li>
                            <li><a href="/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/">Threat Alert: Log4j Vulnerability Has Been adopted by two Linux Botnets</a></li>
                            <li><a href="/wei-xie-kuai-xun-log4jlou-dong-yi-jing-bei-yong-lai-zu-jian-botnet-zhen-dui-linuxshe-bei/">威胁快讯：Log4j漏洞已经被用来组建botnet，针对Linux设备</a></li>
                        </ul>
                    </div>
                    <footer class="read-next-card-footer">
                        <a href="/tag/botnet/">See all 98 posts →</a>
                    </footer>
                </article>

                <article class="post-card post tag-godlua tag-botnet tag-backdoor no-image">


    <div class="post-card-content">

        <a class="post-card-content-link" href="/an-analysis-of-godlua-backdoor/">

            <header class="post-card-header">
                    <span class="post-card-tags">Godlua</span>
                <h2 class="post-card-title">Godlua Backdoor分析报告</h2>
            </header>

            <section class="post-card-excerpt">
                <p>背景介绍 2019年4月24号，360Netlab未知威胁检测系统发现一个可疑的ELF文件，目前有一部分杀软误识别为挖矿程序。通过详细分析，我们确定这是一款Lua-based Backdoor，因为这个样本加载的Lua字节码文件幻数为“God”，所以我们将它命名为Godlua Backdoor。 Godlua Backdoor会使用硬编码域名，Pastebin.com，GitHub.com和DNS TXT记录等方式，构建存储C2地址的冗余机制。同时，它使用HTTPS加密下载Lua字节码文件，使用DNS over HTTPS获取C2域名解析，保障Bot与Web Server和C2之间的安全通信。 我们观察到Godlua Backdoor实际上存在2个版本，并且有在持续更新。我们还观察到攻击者会通过Lua指令，动态运行Lua代码，并对一些网站发起HTTP Flood</p>
            </section>

        </a>

        <footer class="post-card-meta">

            <ul class="author-list">
                <li class="author-list-item">

                    <div class="author-name-tooltip">
                        Alex.Turing
                    </div>

                        <a href="/author/alex/" class="static-avatar">
                            <img class="author-profile-image" src="https://blog.netlab.360.com/content/images/size/w100/2019/06/turing.PNG" alt="Alex.Turing" />
                        </a>
                </li>
                <li class="author-list-item">

                    <div class="author-name-tooltip">
                        Genshen Ye
                    </div>

                        <a href="/author/yegenshen/" class="static-avatar">
                            <img class="author-profile-image" src="https://blog.netlab.360.com/content/images/size/w100/2017/10/1662072805.jpg" alt="Genshen Ye" />
                        </a>
                </li>
            </ul>

            <span class="reading-time">10 min read</span>

        </footer>

    </div>

</article>

                <article class="post-card post no-image">


    <div class="post-card-content">

        <a class="post-card-content-link" href="/an-analysis-of-linux-ngioweb-botnet/">

            <header class="post-card-header">
                <h2 class="post-card-title">Linux.Ngioweb分析报告</h2>
            </header>

            <section class="post-card-excerpt">
                <p>背景介绍 2019年5月27号，360Netlab 未知威胁检测系统发现一个可疑的ELF文件，目前仅有一款杀毒引擎检测识别。通过详细分析，我们确定这是一款Proxy Botnet，并且是Win32.Ngioweb[1]恶意软件的Linux版本变种，我们将它命名为Linux.Ngioweb。它与Win32.Ngioweb共用了大量代码，不同的是它新增了DGA特性。我们注册了其中一个DGA C2域名(enutofish-pronadimoful-multihitision.org)，并对它进行Sinkhole处理以此来观察Bot连接情况。 此外，我们还观察到大量部署WordPress的Web服务器被植入Linux.Ngioweb 恶意软件。尽管Bot程序由Web容器对应的用户组运行并且权限很小但还是能够正常工作，并被充当Rotating Reverse Proxy[2]节点。 目前，</p>
            </section>

        </a>

        <footer class="post-card-meta">

            <ul class="author-list">
                <li class="author-list-item">

                    <div class="author-name-tooltip">
                        Alex.Turing
                    </div>

                        <a href="/author/alex/" class="static-avatar">
                            <img class="author-profile-image" src="https://blog.netlab.360.com/content/images/size/w100/2019/06/turing.PNG" alt="Alex.Turing" />
                        </a>
                </li>
                <li class="author-list-item">

                    <div class="author-name-tooltip">
                        Genshen Ye
                    </div>

                        <a href="/author/yegenshen/" class="static-avatar">
                            <img class="author-profile-image" src="https://blog.netlab.360.com/content/images/size/w100/2017/10/1662072805.jpg" alt="Genshen Ye" />
                        </a>
                </li>
            </ul>

            <span class="reading-time">15 min read</span>

        </footer>

    </div>

</article>

            </div>
        </div>
    </aside>

    <div class="floating-header">
    <div class="floating-header-logo">
        <a href="https://blog.netlab.360.com">
                <img src="https://blog.netlab.360.com/content/images/size/w30/2019/02/netlab_xs-2.png" alt="360 Netlab Blog - Network Security Research Lab at 360 icon" />
            <span>360 Netlab Blog - Network Security Research Lab at 360</span>
        </a>
    </div>
    <span class="floating-header-divider">&mdash;</span>
    <div class="floating-header-title">An Analysis of Godlua Backdoor</div>
    <div class="floating-header-share">
        <div class="floating-header-share-label">Share this <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
    <path d="M7.5 15.5V4a1.5 1.5 0 1 1 3 0v4.5h2a1 1 0 0 1 1 1h2a1 1 0 0 1 1 1H18a1.5 1.5 0 0 1 1.5 1.5v3.099c0 .929-.13 1.854-.385 2.748L17.5 23.5h-9c-1.5-2-5.417-8.673-5.417-8.673a1.2 1.2 0 0 1 1.76-1.605L7.5 15.5zm6-6v2m-3-3.5v3.5m6-1v2"/>
</svg>
</div>
        <a class="floating-header-share-tw" href="https://twitter.com/share?text=An%20Analysis%20of%20Godlua%20Backdoor&amp;url=https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/"
            onclick="window.open(this.href, 'share-twitter', 'width=550,height=235');return false;">
            <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32"><path d="M30.063 7.313c-.813 1.125-1.75 2.125-2.875 2.938v.75c0 1.563-.188 3.125-.688 4.625a15.088 15.088 0 0 1-2.063 4.438c-.875 1.438-2 2.688-3.25 3.813a15.015 15.015 0 0 1-4.625 2.563c-1.813.688-3.75 1-5.75 1-3.25 0-6.188-.875-8.875-2.625.438.063.875.125 1.375.125 2.688 0 5.063-.875 7.188-2.5-1.25 0-2.375-.375-3.375-1.125s-1.688-1.688-2.063-2.875c.438.063.813.125 1.125.125.5 0 1-.063 1.5-.25-1.313-.25-2.438-.938-3.313-1.938a5.673 5.673 0 0 1-1.313-3.688v-.063c.813.438 1.688.688 2.625.688a5.228 5.228 0 0 1-1.875-2c-.5-.875-.688-1.813-.688-2.75 0-1.063.25-2.063.75-2.938 1.438 1.75 3.188 3.188 5.25 4.25s4.313 1.688 6.688 1.813a5.579 5.579 0 0 1 1.5-5.438c1.125-1.125 2.5-1.688 4.125-1.688s3.063.625 4.188 1.813a11.48 11.48 0 0 0 3.688-1.375c-.438 1.375-1.313 2.438-2.563 3.188 1.125-.125 2.188-.438 3.313-.875z"/></svg>
        </a>
        <a class="floating-header-share-fb" href="https://www.facebook.com/sharer/sharer.php?u=https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/"
            onclick="window.open(this.href, 'share-facebook','width=580,height=296');return false;">
            <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32"><path d="M19 6h5V0h-5c-3.86 0-7 3.14-7 7v3H8v6h4v16h6V16h5l1-6h-6V7c0-.542.458-1 1-1z"/></svg>
        </a>
    </div>
    <progress id="reading-progress" class="progress" value="0">
        <div class="progress-container">
            <span class="progress-bar"></span>
        </div>
    </progress>
</div>




        <footer class="site-footer outer">
            <div class="site-footer-content inner">
                <section class="copyright"><a href="https://blog.netlab.360.com">360 Netlab Blog - Network Security Research Lab at 360</a> &copy; 2021</section>
                <nav class="site-footer-nav">
                    <a href="https://blog.netlab.360.com">Latest Posts</a>
                    
                    <a href="https://twitter.com/360Netlab" target="_blank" rel="noopener">Twitter</a>
                    <a href="https://ghost.org" target="_blank" rel="noopener">Ghost</a>
                </nav>
            </div>
        </footer>

    </div>


    <script>
        var images = document.querySelectorAll('.kg-gallery-image img');
        images.forEach(function (image) {
            var container = image.closest('.kg-gallery-image');
            var width = image.attributes.width.value;
            var height = image.attributes.height.value;
            var ratio = width / height;
            container.style.flex = ratio + ' 1 0%';
        })
    </script>


    <script
        src="https://code.jquery.com/jquery-3.2.1.min.js"
        integrity="sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4="
        crossorigin="anonymous">
    </script>
    <script type="text/javascript" src="/assets/built/jquery.fitvids.js?v=db215a41fd"></script>


    <script>
// Adds delay to author card dropups to disappear. This gives enough
// time for the user to interact with the author card while they move
// the mouse from the avatar to the card. Also makes space for the
// interacted avatar.
$(document).ready(function () {

    var hoverTimeout;

    $('.author-list-item').hover(function(){
        var $this = $(this);

        clearTimeout(hoverTimeout);

        $('.author-card').removeClass('hovered');
        $(this).children('.author-card').addClass('hovered');

    }, function() {
        var $this = $(this);

        hoverTimeout = setTimeout(function() {
            $this.children('.author-card').removeClass('hovered');
        }, 800);
    });

});
</script>

    <script>

        // NOTE: Scroll performance is poor in Safari
        // - this appears to be due to the events firing much more slowly in Safari.
        //   Dropping the scroll event and using only a raf loop results in smoother
        //   scrolling but continuous processing even when not scrolling
        $(document).ready(function () {
            // Start fitVids
            var $postContent = $(".post-full-content");
            $postContent.fitVids();
            // End fitVids

            var progressBar = document.querySelector('#reading-progress');
            var header = document.querySelector('.floating-header');
            var title = document.querySelector('.post-full-title');

            var lastScrollY = window.scrollY;
            var lastWindowHeight = window.innerHeight;
            var lastDocumentHeight = $(document).height();
            var ticking = false;

            function onScroll() {
                lastScrollY = window.scrollY;
                requestTick();
            }

            function onResize() {
                lastWindowHeight = window.innerHeight;
                lastDocumentHeight = $(document).height();
                requestTick();
            }

            function requestTick() {
                if (!ticking) {
                    requestAnimationFrame(update);
                }
                ticking = true;
            }

            function update() {
                var trigger = title.getBoundingClientRect().top + window.scrollY;
                var triggerOffset = title.offsetHeight + 35;
                var progressMax = lastDocumentHeight - lastWindowHeight;

                // show/hide floating header
                if (lastScrollY >= trigger + triggerOffset) {
                    header.classList.add('floating-active');
                } else {
                    header.classList.remove('floating-active');
                }

                progressBar.setAttribute('max', progressMax);
                progressBar.setAttribute('value', lastScrollY);

                ticking = false;
            }

            window.addEventListener('scroll', onScroll, { passive: true });
            window.addEventListener('resize', onResize, false);

            update();

        });
    </script>


    

</body>
</html>
